#!/usr/bin/env bash
# getmail — Hardened vault key fetcher
#
# Usage: getmail <shield_ip>
#
# Sends an HMAC-SHA256-signed GET /v1/key to https://<shield_ip>:8443 and,
# if the body is a 64-char lowercase hex string, stores it verbatim at
# /dev/shm/vault.key (mode 0600). Exit status 0 on success, 1 otherwise.
#
# Requires: VAULT_KEY (HMAC key) and NODE_ID (x-engine-node header). Neither
# is defined in this file and `set -u` below aborts on an unset name, so they
# must come from the environment or from se_client.sh — presumably the latter,
# which is also where se_log is expected to be defined; verify.
# NOTE(review): se_client.sh is sourced by path relative to this script and
# runs with its privileges — it needs the same ownership/permissions as getmail.
set -euo pipefail
# inherit_errexit (bash 4.4+) extends `set -e` into $(...) substitutions; on
# older bash the shopt fails and that is deliberately ignored.
shopt -s inherit_errexit 2>/dev/null || true

SDIR="$(cd "$(dirname "$0")" && pwd)"
source "${SDIR}/se_client.sh"

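# ── Input validation ───────────────────────────────────────────────────────
#######################################
# Strict dotted-quad IPv4 check: exactly four decimal octets, each 0-255,
# no leading zeros. A digits-and-dots regex on its own accepts values such
# as 999.999.999.999 or 010.0.0.1 (octal-ambiguous); since SHIELD_IP is
# spliced straight into the request URL, this is the only gate between
# argv and curl.
# Arguments: $1 - candidate address
# Returns:   0 if well-formed, 1 otherwise
#######################################
is_ipv4() {
    local addr="$1"
    local -a octets
    local o
    [[ "${addr}" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || return 1
    IFS=. read -r -a octets <<< "${addr}"
    for o in "${octets[@]}"; do
        # "0" is fine; "01"/"010" are rejected rather than guessed at.
        [[ "${o}" == 0 || "${o}" != 0* ]] || return 1
        # 10# forces decimal so a leading zero could never be read as octal.
        (( 10#${o} <= 255 )) || return 1
    done
    return 0
}

SHIELD_IP="${1:-}"
if [[ -z "${SHIELD_IP}" ]]; then
    printf 'Usage: %s shield_ip\n' "$0" >&2
    exit 1
fi

if ! is_ipv4 "${SHIELD_IP}"; then
    # The argument is untrusted: strip non-printable bytes (newlines in
    # particular) so it cannot forge an extra log line.
    se_log "err" "getmail: invalid IP format: ${SHIELD_IP//[![:print:]]/?}"
    exit 1
fi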

# ── Fetch key ──────────────────────────────────────────────────────────────
# Scratch file for the key on tmpfs (RAM-backed, never written to disk).
# mktemp normally creates it mode 0600 already; the explicit chmod guards
# against an unusual umask or a non-GNU mktemp.
TMPKEY=$(mktemp /dev/shm/.vault.key.XXXXXX)
chmod 0600 -- "${TMPKEY}"

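# Ensure cleanup on all exits
#######################################
# Scrub and unlink the scratch key file. Truncating before unlinking keeps
# the key bytes out of the (tmpfs) file even if the unlink fails; both
# steps are best-effort so the trap itself can never fail the script.
# If the file is already gone there is nothing to do — a bare `>` would
# otherwise recreate it empty at the old path.
# Globals:   TMPKEY (read)
#######################################
cleanup_getmail() {
    [[ -n "${TMPKEY:-}" ]] || return 0
    [[ -e "${TMPKEY}" || -L "${TMPKEY}" ]] || return 0
    : > "${TMPKEY}" 2>/dev/null || true
    rm -f -- "${TMPKEY}" 2>/dev/null || true
}
trap cleanup_getmail EXIT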

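# Request authentication: HMAC-SHA256 over "ts:nonce:payload", keyed with
# VAULT_KEY (not defined in this file; see header). Freshness of TS and
# single use of NONCE can only be enforced by the server — nothing here
# tracks either.
TS="$(date -u +%s)"
NONCE="$(openssl rand -hex 16)"
readonly PAYLOAD="GET/v1/key"
# NOTE(review): `-hmac` puts the key on openssl's argv, so it is readable via
# /proc/<pid>/cmdline for the life of that (short) process. The openssl CLI
# has no stdin/file option for the HMAC key as far as I know; on shared hosts
# replace this with a helper that reads the key from a file or the environment.
SIG="$(printf '%s' "${TS}:${NONCE}:${PAYLOAD}" \
    | openssl dgst -sha256 -hmac "${VAULT_KEY}" | awk '{print $2}')"

# --fail: an HTTP >= 400 response is a failure, so an error body never
# reaches the response validator. No -L, so redirects are never followed.
# Server identity rests on curl's default CA verification of the certificate
# presented for the bare IP (no pinning); the body itself is not signed.
curl_rc=0
RESP="$(curl -sS --fail --connect-timeout 5 -m 15 \
    "https://${SHIELD_IP}:8443/v1/key" \
    -H "x-engine-ts: ${TS}" \
    -H "x-engine-nonce: ${NONCE}" \
    -H "x-engine-sig: ${SIG}" \
    -H "x-engine-node: ${NODE_ID}" \
    2>/dev/null)" || curl_rc=$?
if (( curl_rc != 0 )); then
    # curl's stderr is discarded above; log the exit code so a TLS or
    # connection failure is distinguishable from a malformed body.
    se_log "err" "vault_fetch: curl failed (exit ${curl_rc}) for ${SHIELD_IP}"
    RESP=""
fi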

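# ── Validate and store ─────────────────────────────────────────────────────
# Install the key atomically: write it into the 0600 scratch file created
# above, then rename that over the final path. A direct `> /dev/shm/vault.key`
# creates a missing file with umask permissions (commonly 0644) and only
# tightens them afterwards, leaving a window in which the key bytes are
# readable; rename() on the same tmpfs has no such window, and it replaces a
# pre-existing symlink at the destination instead of writing through it.
VAULT_KEY_PATH="/dev/shm/vault.key"
if [[ "${RESP}" =~ ^[a-f0-9]{64}$ ]]; then
    printf '%s' "${RESP}" > "${TMPKEY}"
    chmod 0600 -- "${TMPKEY}"
    mv -f -- "${TMPKEY}" "${VAULT_KEY_PATH}"
    se_log "info" "vault_fetch: key retrieved from ${SHIELD_IP}"
    exit 0
else
    # RESP is deliberately not logged: a non-matching body may still be secret.
    se_log "err" "vault_fetch: invalid response from ${SHIELD_IP}"
    exit 1
fi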
